On the host being monitored the firewall has to allow in UDP with destination port 161. These are the SNMP probes from the monitor.
On the monitoring host the firewall has to allow in UDP with a source port of 161 from the IP of the host being monitored. These are the answers to the SNMP probes.
That's an afternoon of my life I won't get back. :-/